×

Efficiently throttling user authentication

  • US 8,898,752 B2
  • Filed: 02/01/2012
  • Issued: 11/25/2014
  • Est. Priority Date: 02/01/2012
  • Status: Active Grant
First Claim
Patent Images

1. At an authentication server computer system including at least one processor and a memory, in a computer networking environment including a plurality of computing systems, a computer-implemented method for efficiently authenticating users while preventing enumeration attacks, the method comprising:

  • an act of receiving user login credentials from a user at a specified time, the user login credentials including a user identifier and a password;

    an act of the processor making at least one of the following determinations;

    determining that the user identifier does not match any existing user account;

    determining that the user identifier matches at least one existing user account, but the user'"'"'s account is in a locked state; and

    determining that the user identifier matches at least one existing user account, but the user'"'"'s password does not match the user identifier;

    an act of generating a variable delay based on the time the login credentials were received at the authentication server computer system, the generated delay accounting for the amount of time taken by the processor to make the at least one determination, the generated delay ensuring that each response message is returned to the user at substantially the same elapsed time since the user'"'"'s login credentials were received, regardless of which determination was made, the length of the delay is variable and is dynamically generated for each login attempt to ensure that each response is sent after the same amount of time has elapsed since the user'"'"'s login credentials were received; and

    upon application of the generated delay, an act of returning to the user the same response message regardless of which determination is made, the response message indicating that the user'"'"'s login credentials are invalid, wherein the response message prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.

View all claims
  • 2 Assignments
Timeline View
Assignment View
    ×
    ×